Accessing and Configuring the Red Hat Registry

    The new registry, registry.redhat.io, requires authentication for access to images and hosted content on OKD. Following the move to the new registry, the existing registry will be available for a period of time.

    The new registry uses standard OAuth mechanisms for authentication, with the following methods:

    • Authentication token. Tokens, which are generated by administrators, are service accounts that give systems the ability to authenticate against the container image registry. Service accounts are not affected by changes in user accounts, so the token authentication method is reliable and resilient. This is the only supported authentication option for production clusters.

    • Web username and password. This is the standard set of credentials you use to log in to resources such as access.redhat.com. While it is possible to use this authentication method with OKD, it is not supported for production deployments. Restrict this authentication method to stand-alone projects outside OKD.

    You can use docker login with your credentials, either username and password or authentication token, to access content on the new registry.

    All image streams point to the new registry. Because the new registry requires authentication for access, there is a new secret in the OpenShift namespace called imagestreamsecret.

    You must place your credentials in two places:

    • OpenShift namespace. Your credentials must exist in the OpenShift namespace so that the image streams in the OpenShift namespace can import.

    • Your host. Your credentials must exist on your host because Kubernetes uses the credentials from your host when it goes to pull images.

    To access the new registry:

    • Verify that the image import secret, imagestreamsecret, is in your OpenShift namespace. That secret holds the credentials that allow you to access the new registry.

    • Verify that all of your cluster nodes have a /var/lib/origin/.docker/config.json, copied from the master, that allows you to access the Red Hat registry.

    If you are a Red Hat customer with entitlements to Red Hat products, you have an account with applicable user credentials. These are the username and password that you use to log in to the Red Hat Customer Portal.

    If you do not have an account, you can acquire one for free by registering for one of the following options:

    • . This account gives you access to developer tools and programs.

    • 30-day Trial Subscription. This account gives you a 30-day trial subscription with access to select Red Hat software products.

    You must create tokens if your organization manages shared accounts. Administrators can create, view, and delete all tokens associated with an organization.

    Prerequisites

    • User credentials

    Procedure

    To create a token in order to complete a :

    1. Navigate to registry.redhat.io.

    2. From the Registry Service Accounts page, click Create Service Account.

      1. Provide a name for the service account. It will be prepended with a random string.

      2. Enter a description.

      3. Click create.

    3. Navigate back to your Service Accounts.

    4. Click the Service Account you created.

    5. Copy the username, including the prepended string.

    6. Copy the token.

    You can also manage registry credentials during installation or upgrade using the Ansible installer.

    This will set up the following:

    • imagestreamsecret in your OpenShift namespace.

    • Credentials on all nodes.

    Prerequisites

    • User credentials

    • Service account

    • Service account token

    Procedure

    To manage registry credentials during installation or upgrade using the Ansible installer:

    • During installation or upgrade, specify the oreg_auth_user and oreg_auth_password variables in your installer inventory.

    Clusters that require access to additional authenticated registries can configure a list of registries by setting openshift_additional_registry_credentials. Each registry requires a host and password value; you can specify a username by setting user. By default, the credentials specified are validated by attempting to inspect the image openshift3/ose-pod on the specified registry.

    To specify an alternate image, either:

    If the registry is insecure, set to False.

    All credentials in this list will have an imagestreamsecret created in the OpenShift namespace and credentials deployed to all nodes.

    For example:

    Once you have created your service accounts and generated tokens for the Red Hat Registry, you can perform additional tasks.

    Prerequisites

    • User credentials

    • Service account

    • Service account token

    Procedure

    From your page, click on your account name. From there, you can perform the following tasks:

    • From the Token Information tab, you can view your username (the name you provided prepended with a random string) and password (token). From this tab, you can regenerate your token.

    • From the OpenShift Secret tab, you can:

      1. Download the secret by clicking the link in the tab.

      2. Submit the secret to the cluster:

        # oc create -f <account-name>-secret.yml --namespace=openshift

      3. Update your Kubernetes configuration by adding a reference to the secret to your Kubernetes pod configuration with an imagePullSecrets field, for example:

    • From the Docker Login tab, you can run docker login. For example:

        # docker login -u='<numerical-string|account-name>' -p=<token>

      After you successfully log in, copy ~/.docker/config.json to /var/lib/origin/.docker/config.json and restart the node.

    • From the Docker Configuration tab, you can:

      1. Download the credentials configuration by clicking the link in the tab.

      2. Write the configuration to the disk by placing the file in the Docker configuration directory. This will overwrite existing credentials. For example:

        # mv <account-name>-auth.json ~/.docker/config.json
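    The two credential artifacts this page has you place in two locations, as an added example that is not part of the OKD documentation: it builds the Docker config.json that the Docker Configuration tab downloads, wraps it in the dockerconfigjson Secret that the OpenShift Secret tab downloads for oc create, adds the imagePullSecrets reference to a pod definition, and checks whether a node's copied config.json actually carries an auth entry for registry.redhat.io. The username and token values used in testing are constructed placeholders, not real credentials.

```python
import base64
import json

REGISTRY = "registry.redhat.io"

def docker_config(username, token, registry=REGISTRY):
    """Return the content of ~/.docker/config.json for one registry login
    (the layout 'docker login' writes: auths -> registry -> base64 user:token)."""
    auth = base64.b64encode(f"{username}:{token}".encode()).decode()
    return {"auths": {registry: {"auth": auth}}}

def decode_auth(config, registry=REGISTRY):
    """Recover (username, token) from a config.json auth entry."""
    raw = base64.b64decode(config["auths"][registry]["auth"]).decode()
    user, _, token = raw.partition(":")
    return user, token

def image_pull_secret(name, config, namespace="openshift"):
    """Wrap a docker config in a kubernetes.io/dockerconfigjson Secret, the
    shape of the <account-name>-secret.yml submitted with 'oc create -f'."""
    payload = base64.b64encode(json.dumps(config).encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": payload},
    }

def secret_config(secret):
    """Decode the docker config embedded in a dockerconfigjson Secret."""
    return json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))

def add_image_pull_secret(pod, secret_name):
    """Reference the secret from a pod definition via spec.imagePullSecrets
    without duplicating an existing reference."""
    refs = pod.setdefault("spec", {}).setdefault("imagePullSecrets", [])
    if not any(ref.get("name") == secret_name for ref in refs):
        refs.append({"name": secret_name})
    return pod

def has_registry_auth(config_text, registry=REGISTRY):
    """Check that a node's config.json (copied from the master) carries a
    non-empty auth entry for the registry; malformed files count as missing."""
    try:
        entry = json.loads(config_text)["auths"][registry]
    except (ValueError, KeyError, TypeError):
        return False
    return isinstance(entry, dict) and bool(entry.get("auth"))
```

Run has_registry_auth over the contents of /var/lib/origin/.docker/config.json on each node to confirm the copy from the master landed before relying on image pulls.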